FTC Positions Itself to Increase/Enhance Information Security Enforcement Actions with Appointment of Chief Technologist
Tuesday, November 16, 2010
Print Mail Download i

Organizations that have failed to implement “reasonable and appropriate” information security measures sometimes find themselves on the wrong end of a Federal Trade Commission (FTC) allegation of unfair and deceptive trade practice. These enforcement actions have uniformly ended in a settlement that carried significant obligations and continued FTC oversight for as long as 20 years. We earlier reported on the increasing granularity of these actions in “Reasonable” Security: The FTC Requires It, But What is “Reasonable” Security?

In the course of taking these enforcement actions, the FTC has built an increasingly specific body of case law dictating the types of security lapses it deems “unfair” to consumers. A few examples taken from recent actions include:

  • Storing information for which the company no longer had any business need in multiple, unencrypted files that could be easily accessed with a commonly-known user ID and password
     
  • Transmitting personal information in clear text
     
  • Failing to require the use of strong passwords and separate passwords to access different programs, computers, and networks
     
  • Failing to require periodic changes of user credentials for persons with access to sensitive nonpublic information
     
  • Failing to suspend user credentials after a certain number of unsuccessful login attempts
     
  • Allowing employees to store passwords in email accounts
     
  • Failing to employ sufficient measures to detect and prevent unauthorized information access, such as an intrusion detection system and monitoring system logs

These allegations demonstrate the FTC’s increasingly granular approach to security –related enforcement. In a move that may signal a continuation of that trend, the FTC has just appointed Edward Felten, a Princeton University professor of computer science and public affairs, as its first chief technologist. As reported by The Washington Post (FTC names Princeton computer security expert as first chief technologist), Felten is expected to advise on both privacy and computer security matters. With this appointment, the FTC is well-equipped to continue and enhance its security-related enforcement activity. Organizations subject to FTC jurisdiction should follow future developments in FTC information security enforcement, but should also be mindful of the FTC’s previous complaints and ensure that their own security programs do not include the types of flaws that have attracted FTC attention in the past.

© 2024 Poyner Spruill LLP. All rights reserved.

Current Legal Analysis

More from Poyner Spruill LLP

Administrative Check-Up on Participant Plan Loans
by: Employment Law
Cybersecurity Threats: What Retirement Plan Sponsors and Fiduciaries Need to Know – and Do
by: Employment Law
Substantial Risk of Forfeiture: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 2
by: Employment Law , Kelsey H. Mayo
Deferred Compensation: What Non-Profit and Governmental Employers Need to Know About IRS Guidance on Section 457 - Part 1
by: Employment Law
NLRB Continues to Target Employers’ Social Media Policies
by: Employment Law
Hospice Providers – Step Up to the “MIC”
by: Iain M Stauffer
Final CMS Rule on the Reporting and Returning of Medicare Overpayments is a Wake-Up Call for Physicians
by: Wilson Hayman
Don't Be a Target -- Retirement Plan Fees and Expenses
by: Employment Law
EEOC Files First Two Lawsuits Challenging Sexual Orientation Discrimination
by: Employment Law
One Year Later: Avoiding Unfavorable Risk Weighting of Acquisition, Development, and Construction Loans for Commercial Real Estate Projects
by: Christopher S. Dwight

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins